Do not allow blank passwords when authenticating against LDAP.

This commit is contained in:
Craig Andrews 2010-09-21 18:04:28 -04:00
parent 42dd460d3b
commit 8d019c03ee

View File

@ -144,6 +144,12 @@ class LdapCommon
if(!$entry){ if(!$entry){
return false; return false;
}else{ }else{
if(empty($password)) {
//NET_LDAP2 will do an anonymous bind if bindpw is not set / empty string
//which causes all login attempts that involve a blank password to appear
//to succeed. Which is obviously not good.
return false;
}
$config = $this->get_ldap_config(); $config = $this->get_ldap_config();
$config['binddn']=$entry->dn(); $config['binddn']=$entry->dn();
$config['bindpw']=$password; $config['bindpw']=$password;